diff --git a/lib/client/api.go b/lib/client/api.go
index fc25cdba562d1..25a7957cf9d6c 100644
--- a/lib/client/api.go
+++ b/lib/client/api.go
@@ -525,24 +525,6 @@ type CachePolicy struct {
 NeverExpires bool
 }
 
-// MakeDefaultConfig returns default client config.
-// If store is not provided, it will default to in-memory storage without
-// hardware key support. This should only be used with static auth methods
-// (TLS and AuthMethods fields).
-func MakeDefaultConfig(store *Store) *Config {
- if store == nil {
- store = NewMemClientStore()
- }
- return &Config{
- Stdout: os.Stdout,
- Stderr: os.Stderr,
- Stdin: os.Stdin,
- AddKeysToAgent: AddKeysToAgentAuto,
- Tracer: tracing.NoopProvider().Tracer("TeleportClient"),
- ClientStore: store,
- }
-}
-
 func (c *Config) CheckAndSetDefaults() error {
 if c.ClientStore == nil {
 if c.TLS == nil && c.AuthMethods == nil {
diff --git a/lib/client/keyagent.go b/lib/client/keyagent.go
index 9111e3df164d2..e901f61822fc3 100644
--- a/lib/client/keyagent.go
+++ b/lib/client/keyagent.go
@@ -664,7 +664,7 @@ func (a *LocalKeyAgent) Signers() ([]ssh.Signer, error) {
 if err != nil {
 return nil, trace.Wrap(err)
 }
- agentSigners = append(signers, sshAgentSigners...)
+ agentSigners = append(agentSigners, sshAgentSigners...)
 }
 
 // Filter out non-certificates (like regular public SSH keys stored in the SSH agent).
diff --git a/lib/client/keyagent_test.go b/lib/client/keyagent_test.go
index 8eb22b1c94128..c832de9cd01ec 100644
--- a/lib/client/keyagent_test.go
+++ b/lib/client/keyagent_test.go
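Review bot: In lib/client/keyagent.go, Signers() now merges the local-agent and system-agent signers, and the accompanying TestSigners expects the same certificate to come back three times, so callers receive duplicate signers. If the result is handed to SSH public-key authentication (the callers are not visible here), each duplicate is presumably offered as a separate attempt and counts against a server's authentication-attempt limit. Consider de-duplicating before returning, for example by tracking seen keys in a `map[string]struct{}` keyed on `string(s.PublicKey().Marshal())`, or state in the doc comment of Signers() that duplicates are expected. The function body starts and ends outside this hunk.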
@@ -278,6 +278,28 @@ func TestLoadKey(t *testing.T) {
 }
 }
 
+func TestSigners(t *testing.T) {
+ s := makeSuite(t)
+ keyAgent := s.newKeyAgent(t)
+
+ // add the key to the local and system agent.
+ err := keyAgent.AddKeyRing(s.keyRing)
+ require.NoError(t, err)
+
+ // Check that the ssh cert (signer) appears three times:
+ // - from the client store
+ // - from the local agent
+ // - from the system agent
+ signers, err := keyAgent.Signers()
+ require.NoError(t, err)
+ require.Len(t, signers, 3)
+
+ // non ssh certs should be filtered out
+ for i, signer := range signers {
+ require.True(t, sshutils.IsSSHCertType(signer.PublicKey().Type()), "signer %d has unexpected type %s", i, signer.PublicKey().Type())
+ }
+}
+
 type caType struct {
 signer ssh.Signer
 trustedCerts authclient.TrustedCerts
diff --git a/lib/web/apiserver.go b/lib/web/apiserver.go
index 80e384bac9db8..c21e4369cca70 100644
--- a/lib/web/apiserver.go
+++ b/lib/web/apiserver.go
@@ -5297,6 +5297,7 @@ func makeTeleportClientConfig(ctx context.Context, sctx *SessionContext) (*clien
 HostKeyCallback: callback,
 TLSRoutingEnabled: proxyListenerMode == types.ProxyListenerMode_Multiplex,
 Tracer: apitracing.DefaultProvider().Tracer("webterminal"),
+ AddKeysToAgent: client.AddKeysToAgentNo,
 }
 
 return config, nil
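Review bot: `require.Len(t, signers, 3)` in TestSigners cannot tell the three sources apart, because the same certificate is loaded into the client store, the local agent and the system agent. If the pre-fix code also produced three entries (for example by counting the store signer twice in place of the local-agent one; the rest of Signers() is not visible here), this test would have passed before the fix and does not guard against the regression. Consider giving each source a distinguishable certificate and asserting that each one is present, or adding a case where only the local agent holds a certificate and checking that it is still returned.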
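Review bot: The new `AddKeysToAgent: client.AddKeysToAgentNo` field in makeTeleportClientConfig carries no comment explaining why the web terminal client must not add keys to an agent, so a later edit of this struct literal could drop it unnoticed. Presumably the intent is that web-session keys are never loaded into an SSH agent on the proxy host; a line such as `// Never add web session keys to an SSH agent on the proxy host.` above the field would record that. It would also help to assert this field in a test of makeTeleportClientConfig so that a refactor of the client config defaults cannot silently revert it. The function starts outside this hunk.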